Join us to discuss and ask questions on ASA Firewall. Our guest for the forum is Jitendriya Athavale. Jitendriya has been working with TAC for the last 2 years. He works in the FW-IDS team and supports customers in the APAC region. His area of expertise is ASA Firewalls.
We will cover a wide array of topics including:
ASA Troubleshooting, NAT, ACL, Failover, Upgrade, Management, Routing, Crashes, Performance, MPF and other feature related topics.
What is a Facebook Forum?
Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. It gives you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.
On the day of the event, go to http://www.facebook.com/CiscoSupportCommunity. Once you are on our Facebook fan page, be sure to click "Like" to become a member of our Facebook community! We'll post a welcome message at the beginning of the event. All subsequent conversations will be posted as comments to this main thread. You can post your questions as comments to this thread as well.
If you do not have a static IP or if you want to use the same IP as the interface IP, then you need to PAT it to a specific port on the interface.
static (inside,outside) tcp interface <port> 192.168.1.1 <port> netmask 255.255.255.255
where 192.168.1.1 is your internal IP and <port> is the TCP port being forwarded
You work with a lot of customers. What are some of the most common issues you see from our customers?
This one is difficult to answer because I only cover 6 to 7 hours out of 24 hours, but in general we see issues related to NAT, Failover and Upgrade. Also, what I have seen is that many times customers are not really sure if the firewall is the cause of the problem or if something else in the network is causing it. So as we go ahead I will give out some tips to troubleshoot so that you can find out and isolate the location of the problem.
So what are the tools available to troubleshoot and isolate the issue?
For me the top 3 tools would be packet tracer, packet capture and logs. If you use these you should be able to solve most of the problems yourself.
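The isolation workflow the three tools give you, written out as an added example (not part of the thread; all addresses and capture names are constructed). Traffic seen on the inside capture but not the outside one means the ASA dropped it (the asp-drop capture shows why); traffic leaving on the outside capture with no reply means the problem is beyond the firewall.

```cisco
! Step 1: simulate the flow and read the verdict of each phase (ACL, NAT, route)
packet-tracer input inside tcp 192.168.1.10 12345 203.0.113.5 80 detailed

! Step 2: capture the same flow on both sides of the ASA
! (source is "any" on the outside because PAT rewrites it to the interface IP)
capture CAPIN  interface inside  match tcp host 192.168.1.10 host 203.0.113.5 eq 80
capture CAPOUT interface outside match tcp any host 203.0.113.5 eq 80

! Step 3: capture everything the ASA itself discarded, together with the drop reason
capture ASPDROP type asp-drop all

! Generate the traffic from the client, then inspect
show capture CAPIN
show capture CAPOUT
show capture ASPDROP

! Step 4: correlate with the logs (302013 = connection built, 302014 = teardown)
show logging | include 203.0.113.5

! Clean up: captures consume memory and stay active until removed
no capture CAPIN
no capture CAPOUT
no capture ASPDROP
```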
What factors could cause a site to site vpn disconnect on its own? We have a site wherein the tunnel is up but it disconnects after a few days. Sometimes a ping on both sides is sufficient but at other times we need to recreate the whole configuration.
This requires deep investigation, but in general what you can do is generate traffic and try to ping the other end and see if that brings up the tunnel. If that does not help you will have to enable debugs and see what is going on. Also you can enable captures and see if you are sending out traffic to the other end.
Is DPD enabled by default? Is it advisable to have it enabled?
Keepalives are enabled by default. With respect to DPD, make sure that both ends support DPD.
As a follow-up to the above question, what debugs should we enable to troubleshoot VPN scenarios?
Here are some debugs which will help in troubleshooting IPsec VPN related issues:
debug crypto isakmp 255
debug crypto ipsec 255
If you have more than one tunnel you can enable specific debugs by providing a condition. Here is the command to enable conditional debugs:
debug crypto condition peer x.x.x.x
where x.x.x.x is the peer IP
We have seen a lot of questions asking about how to use Packet Capture on our Facebook page. Do you have any document on this?
Is there a way to send only a few specific messages to syslog or buffer?
Yes. This is really important for some administrators because they do not want to see everything and are interested in only viewing specific log messages. What you need to do is just define a logging list and specify your criteria to filter out syslog IDs, and then you can send only specific log messages.
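An added example of such a logging list (not from the thread): the list name WATCH, the syslog server address and the choice of message IDs are constructed; the IDs themselves are standard ASA syslog IDs (106023 and 106100 are ACL denies/hits, the 713xxx range is IKE, which is what you would watch for the tunnel drops discussed above).

```cisco
logging enable
logging timestamp

! Only the messages named here are sent to any destination that uses the list
logging list WATCH message 106023
logging list WATCH message 106100
logging list WATCH message 713000-713999
! A list can also pull in a whole class at a severity, e.g. all VPN-class errors
logging list WATCH level errors class vpn

! Use the list name where a severity level would normally go
logging buffered WATCH
logging trap WATCH
logging host inside 192.168.1.50

! Verify what is being filtered and what made it through
show logging setting
show logging
```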
If I have a primary-standby and secondary-active which have been running for a long period of time, is it something to worry about? It’s usually the other way around, isn’t it?
No. It really does not matter. Primary and secondary are just labels. What matters is which is active and it is perfectly fine if secondary is active for a long time.
Is there a downtime required to upgrade a failover pair?
You will need downtime only if it is a major upgrade; for minor upgrades (which do not result in breaking of failover) you don't need downtime. But in general it is always a good idea to do upgrades or downgrades in a maintenance window (just to play safe).
With regard to NAT changes in 8.3, if a user migrates from 8.2 to 8.3 or 8.4, does the ASA migrate the commands by itself or will the user need to configure the NAT rules again?
The ASA is capable of converting the NAT rules, but having said that, this is a best-effort conversion, which means there is always a possibility that something might be broken after an upgrade to 8.3 or later from 8.2 and below. That is why we always suggest a maintenance window for this activity, and the span of the window could vary from network to network.
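The interface PAT from the earlier answer, shown in its 8.2 form and in the 8.3+ Network Object NAT form the migration should produce, as an added example that is not part of the thread. The object name, TCP port 80 and the packet-tracer source address are constructed; 192.168.1.1 is the internal host from the thread. The point to check after the upgrade is the ACL: before 8.3 it names the mapped (interface) address, from 8.3 on it must name the real host.

```cisco
! --- ASA 8.2 and earlier: static PAT of TCP/80 to the outside interface address ---
static (inside,outside) tcp interface 80 192.168.1.1 80 netmask 255.255.255.255
! Pre-8.3 ACLs are written against the MAPPED address, i.e. the interface itself
access-list OUTSIDE_IN extended permit tcp any interface outside eq 80
access-group OUTSIDE_IN in interface outside

! --- ASA 8.3+ equivalent: Network Object NAT ---
object network WEB-192.168.1.1
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 80 80
! 8.3+ ACLs are written against the REAL address, so "interface outside"
! in the old ACL must become the real host or the flow is denied
access-list OUTSIDE_IN extended permit tcp any object WEB-192.168.1.1 eq 80
access-group OUTSIDE_IN in interface outside

! --- Checks to run in the maintenance window after the conversion ---
show running-config nat
show nat detail
! Replace the placeholder with the outside interface address
packet-tracer input outside tcp 203.0.113.10 40000 <outside-interface-ip> 80
```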
Can you tell a little bit about Smart call home feature? What is it exactly? What does it do? How does it benefit our users?
Cisco Smart Call Home is an award-winning, embedded support feature available on a broad range of Cisco products. This proactive support capability is provided at no additional cost when you have an active SMARTnet Service, SP Base, Unified Computing Support Service, or Mission Critical Support Service contract for the designated products.
Smart Call Home offers:
Visibility into your network through diagnostic reports on Call Home enabled devices
Real-time trouble shooting, alerts, and remediation advice
Automatic generation of Cisco service requests to Cisco technical engineers
Secure, reliable data transport
Personalized web-based portal to review Call Home messages, detailed diagnostics, recommendations, and inventory
• The Cisco ASA 5520 performed more than six times better in throughput than the competitive solutions in real-world multi-function threat mitigation
• The Cisco ASA 5520 delivered over three times more 3DES-encrypted VPN throughput than competitors when tested using real-world traffic
• The Cisco ASA 5520 scored 100 percent overall threat-detection success; competitors averaged only 30 to 40 percent
• The Cisco ASA 5520 demonstrated the highest connection-establishment rate, surpassing the closest competitor by more than four times, in real-world, multi-function, threat-mitigation performance comparisons
You can catch the entire discussion on Facebook at